malwarewikiaorg-20200223-history
Maktub Locker
Maktub Locker is a ransomware that encrypts files. It comes with a beautifully designed GUI and a few interesting features.

Behavior

Maktub Locker arrives in a spam campaign, pretending to be a document with a Terms-of-Service update. This time the full package has a consistent theme: the name of the attachment is made to resemble a document (examples: "TOS-update-….scr", "20160321_tos.scr"), and it also has a document-like icon. A trick this ransomware uses to mimic legitimate behavior is that it really displays a document: specifically, a fake TOS update in .rtf format.

Payload

Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub adds a .NORV, .gyul (or other random) extension to each encrypted file, which makes it straightforward to determine which files are encrypted. When Maktub has finished encrypting the user's files, it displays a ransom note titled _DECRYPT_INFO_random.html. Text presented by Maktub demanding a ransom within a pop-up window:

WARNING! Your personal files are encrypted! Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the key. The server will eliminate the key after a time period specified in this window. Open hxxp://bs7aygotd2rnjl40.onion.link or hxxp://bs7aygotd2rnjl40.torstorm.org or hxxp://bs7aygotd2rnjl40.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection:
1) Download TOR Browser from hxxp://torproject.org
2) In the Tor Browser open the hxxp://bs7aygotd2rnjl40.onion.link (Note that this server is available via Tor Browser only. Retry in hour if site is not reachable).
Write in the following public key in the input form on server:

The decryption site is broken up into 5 pages, each with its own artistic theme. This artwork does not appear to have been designed by the ransomware developers, as the logo was taken from a designer on Deviant Art. The first page of the decryption site is a brief introduction to what happened to the victim's files. Text presented within this page:

HELLLO! We're very sorry that all of your personal files have been encrypted. But three are good news - they aren't gone, you still have the opportunity to restore them! statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don't make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of yours files, you will need to pay a certain amount. But let'start with something else...

The next page is the standard free-decryption page. This particular ransomware offers 2 free decryptions rather than the standard one file. Text presented within this page:

WE ARE NOT LYING! Googling " MAKTUB LOCKER" will instantly bring up many suggestions on deleting the program from your personal computer. But not one of the third party programs will be able to do the most important thing - to decrypt your files! In order to do this, you need to have the private master-key that only we have. And only we can restore all of your files. And to show that we aren't making unfounded statements, we'll prove it. Upload any encrypted file,no larger than 200kb, and we will decrypt it, absolutely free! File available to decrypt:2

The third page shows the different payment stages the victim can go into. As more time passes, the victim moves to the next payment stage with a higher ransom amount. Text presented within this page:

HOW MUCH DOES IT COST? We hope that you are convinced that we can decrypt all of yours files. Now, the most important thing!
The faster you transfer the money, the cheaper file decryption will be. At every stage of payment, you get 3 days or 72 hours. You can see the countdown in the right top corner. After the clock shows 00:00:00 you go to the next stage of payment and the price automatically increases. We only accept the electronix currency Bitcoin as a form of payment. Here is sa table that shows the date of payment and the price. Your current stage is marked in yellow.

Stage   Time of payment           How much money should be sent
1       During the first 3 days   x BTC
2       From 3 to 6 days          x BTC
3       From 6 to 9 days          3333
4       From 9 to 12 days         102043 bytes
5       From 12 to 15 days        102043 bytes
6       More than 15 days         102043 bytes

After 15 days of no payment, we do not quarantee that we saved the key. This site can be disconnected at any moment and you will lose your data forever. Please take this seriously.

The fourth page provides the unique bitcoin address that the victim must use to send the ransom payment. Text presented within this page:

WHERE DO I PAY? The whole process of payment confirmation is automated! You won't have to wait while we manually check the status of the incoming payment. As soon as you send the money, it will only take a few hours for the system to automatically count them and create the program that will decode your file. After sending your payment just refresh this site after a couple of hours. You must transfer BTC to the following address: 1H6UDZapNPyipNHYgmGS89WvqbovvP8ny8

Finally, the fifth page is the standard how-to-buy-bitcoins page. Text presented within this page:

BITCOIN PURCHASE If this is the first time you heard of Bitcoin, don't dispair! Simply google this word and you will find all the answers. We can just recommend a few sites that will be of use to you.
Buying Bitcoins- This page aims to be the best resource for new users to understand how to buy Bitcoins
Localbitcoins (WU)- Buy Bitcoins with Western Union
Coincafe.com- Recommended for fast, simple service.
Payment Methods: Western Union, Bank of America, Cash by FedEX, Moneygram, Money Order. In NYC: Bitcoin ATM, In Person
LocalBitcoins.com- Service allows you to search for people in your community willing to sell bitcoins to you directly
btcdirect.eu- THE BEST FOR EUROPE
coinrnr.com- Another fast way to buy bitcoins
bitquick.co- Buy Bitcoins Instantly for Cash
How to Buy Bitcoins- An international directory of bitcoin exchanges
Cash Into Coins- Bitcoin for cash
CoinJar- CoinJar allows direct bitcoin purchases on their site
ZipZap- Global cash payment network enabling consumers to pay for digital currency

Name

Its name originates from the Arabic word maktub, which means "this is written" or "this is fate". The authors were probably trying to make a joke by referencing the act of getting infected with ransomware, hinting that it is uninvited and unavoidable, just like fate.

Categories: Ransomware, Win32 ransomware, Microsoft Windows, Win32, Trojan, Win32 trojan
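As an added example (not from the original page), a small Python triage helper built from the indicators described in the Behavior and Payload sections: the Terms-of-Service lure attachment name on a .scr executable, the _DECRYPT_INFO_<random>.html ransom note, and a novel extension such as .NORV or .gyul appended to every encrypted file. The sample file listing and the lure name "TOS-update-2016.scr" are constructed; the list of common extensions is an assumption.

```python
import re
from collections import Counter
from pathlib import PurePath
from typing import Dict, List, Optional

# Patterns derived from the page: a TOS / Terms-of-Service lure name on an executable
# (.scr in the campaign described) and the _DECRYPT_INFO_<random>.html ransom note.
RANSOM_NOTE_RE = re.compile(r"^_DECRYPT_INFO_[A-Za-z0-9]+\.html$", re.IGNORECASE)
LURE_RE = re.compile(r"(?i)(?:^|[^a-z])tos(?:[^a-z]|$)|terms.?of.?service")
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Assumed set of extensions normally present on a workstation; an unknown extension
# that suddenly dominates a folder next to a ransom note is the candidate encryption suffix.
COMMON_EXTS = {".docx", ".doc", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".html", ".rtf"}


def classify_name(name: str) -> Optional[str]:
    """Label one filename as a Maktub indicator, or None when nothing matches."""
    p = PurePath(name)
    if RANSOM_NOTE_RE.match(p.name):
        return "maktub_ransom_note"
    if p.suffix.lower() in EXECUTABLE_EXTS and LURE_RE.search(p.stem):
        return "document_lure_executable"
    return None


def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Group filenames (mail attachments or a folder listing) by indicator label."""
    hits: Dict[str, List[str]] = {}
    for n in names:
        label = classify_name(n)
        if label:
            hits.setdefault(label, []).append(n)
    return hits


def infer_encryption_extension(names: List[str]) -> Optional[str]:
    """When a ransom note is present and one uncommon extension covers more than half
    of the remaining files, return that extension (e.g. '.norv'); otherwise None."""
    if "maktub_ransom_note" not in scan_names(names):
        return None
    others = [PurePath(n).suffix.lower() for n in names
              if not RANSOM_NOTE_RE.match(PurePath(n).name)]
    if not others:
        return None
    ext, count = Counter(others).most_common(1)[0]
    if ext and ext not in COMMON_EXTS and count * 2 > len(others):
        return ext
    return None


# Constructed listing of a victim's Documents folder after Maktub has run.
SAMPLE_FOLDER = ["budget.xlsx.NORV", "photo.jpg.NORV", "notes.txt.NORV",
                 "readme.txt", "_DECRYPT_INFO_k3x9.html"]
```

Run over a mail gateway's attachment names or a share listing, the two functions give a cheap first pass before a sample is sent for full analysis.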